If you are a hospital, you are undoubtedly aware that your organization is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Another federal privacy and security law, one you may be less acquainted with but may also be required to comply with, is the Gramm-Leach-Bliley Act (GLBA).

The GLBA, also known as the Financial Services Modernization Act, was enacted by Congress in 1999. Although the law has been on the books for nearly two decades, many organizations that are subject to the GLBA do not realize that they are.

The GLBA regulates the collection, use, protection, and disclosure of consumer nonpublic personal information (NPI) by "financial institutions" and companies who receive NPI from financial institutions. Virtually any personally identifiable information about consumers that a financial institution has in its possession and that is not publicly available constitutes NPI, including:

  • Any information a consumer provided in order to receive a product or service from that financial institution, such as his or her name, address, phone number, or social security number;
  • Any information that the financial institution received about a consumer from a transaction involving its product or service, including the fact that the individual is a consumer of the financial institution; and
  • Any information that the financial institution received about a consumer from an outside source in connection with providing a given product or service, such as a consumer report from a credit reporting agency.

If you are like many hospitals, you are probably thinking, "We are a hospital, not a 'financial institution.'" Unfortunately, the GLBA's definition of "financial institution" is much broader than you might realize. Indeed, the GLBA defines a "financial institution" as any institution that is "significantly engaged" in "financial activities" as described in Section 4(k) of the Bank Holding Company Act of 1956. Some of these "financial activities" include lending money and providing consumer financing.

Whether an organization is "significantly engaged" in financial activities is a "facts and circumstances" determination. The Federal Trade Commission has enumerated two factors as being particularly important in determining whether an organization is "significantly engaged" in a financial activity. These factors are 1) the existence of a formal arrangement; and 2) the frequency with which a business engages in a "financial activity."

If your hospital allows long-term payment plans on which interest is routinely charged and which are memorialized in the form of written contracts, and if a significant number of patients take advantage of such plans, your hospital could very likely be subject to the GLBA. In addition, even if you determine that your hospital is not a financial institution—perhaps because it does not provide long-term payment plans with interest to a large segment of its patient population—it could still be subject to certain obligations under the GLBA if it receives NPI from nonaffiliated financial institutions, such as credit reporting agencies (e.g., if it runs patients' credit before offering them financing). These obligations would restrict how the NPI may be reused and redisclosed.

The GLBA has three main components with which a financial institution, including a hospital, must comply—a Privacy Rule, a Safeguards Rule, and a Pretexting Rule. The GLBA Privacy Rule generally requires financial institutions to provide notice about their privacy policies and practices to consumers. The Privacy Rule also requires financial institutions who disclose NPI to nonaffiliated third parties (outside of certain limited exceptions) to provide consumers with the ability to "opt out" of the information sharing.

The GLBA Safeguards Rule requires financial institutions to assess and address the risks to consumer information in all areas of their operations and to design, implement, and maintain systems to safeguard NPI. In particular, it requires the creation and implementation of a written information security program (WISP) that includes administrative, technical, and physical safeguards appropriate to the institution's size, the nature and scope of its activities, and the sensitivity of the consumer information it maintains. Financial institutions must regularly evaluate and adjust their WISPs in light of changes to business operations and the results of ongoing monitoring and testing.

The GLBA Pretexting Rule requires financial institutions to protect NPI from individuals seeking to obtain it under false pretenses. Safeguards against pretexting are generally contained in the WISP and include controls such as requiring multi-factor authentication before an account may be accessed.

Noncompliance with the Privacy Rule, Safeguards Rule, and Pretexting Rule can result in significant federal civil and criminal fines and penalties for both a financial institution and its officers and directors. It is therefore critical that your hospital determine whether it is a "financial institution" and, if so, ensure that it is compliant in all respects with the GLBA.